CVE-2026-2157
OS Command Injection in D-Link DIR-823X /goform/set_static_route_table
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-2157 is a critical OS command injection vulnerability found in the D-Link DIR-823X router, version 250416. It exists in the function sub_4175CC within the file /goform/set_static_route_table. The vulnerability arises from improper handling of the arguments interface, destip, netmask, gateway, and metric, which are used to set static routing tables.
An attacker can manipulate these parameters with crafted input containing newline characters to prematurely terminate the intended UCI configuration command and append arbitrary shell commands. These injected commands are executed with root privileges, allowing full control over the device.
The vulnerability is due to insufficient input sanitization, specifically the failure to filter newline characters, which enables command injection. Exploitation requires authentication but can be performed remotely.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device.'}, {'type': 'list_item', 'content': 'An attacker with authentication can execute arbitrary OS commands with root privileges remotely.'}, {'type': 'list_item', 'content': 'Full control over the router can be gained, allowing the attacker to manipulate network configurations, intercept or redirect traffic, or disrupt network services.'}, {'type': 'list_item', 'content': "The device's security can be completely compromised, potentially leading to further attacks on connected networks or devices."}] [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to send crafted POST requests to the /goform/set_static_route_table endpoint on the D-Link DIR-823X router (firmware version 250416). The detection involves injecting newline characters (\\n) into parameters such as interface, destip, netmask, gateway, or metric to see if arbitrary OS commands can be executed.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit uses a Python script that authenticates to the router and sends POST requests with payloads containing newline-injected commands, particularly targeting the gateway parameter.'}, {'type': 'paragraph', 'content': 'Suggested detection commands include crafting POST requests with parameters containing newline characters to test if the router executes injected commands. For example, using curl or similar tools to send requests with payloads like:'}, {'type': 'list_item', 'content': "curl -X POST -d 'interface=eth0&destip=192.168.1.0&netmask=255.255.255.0&gateway=1.1.1.1\\nwhoami&metric=1' http://<router-ip>/goform/set_static_route_table"}, {'type': 'paragraph', 'content': 'If the response or router behavior indicates execution of injected commands (e.g., command output or side effects), the vulnerability is present.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include replacing the affected D-Link DIR-823X router with an alternative device, as no known mitigations or countermeasures have been reported.'}, {'type': 'paragraph', 'content': 'Additional suggested mitigations from the analysis include:'}, {'type': 'list_item', 'content': 'Implement strict whitelisting using regular expressions to ensure parameters only contain valid IP address characters.'}, {'type': 'list_item', 'content': 'Expand the blacklist of forbidden characters to include newline characters (\\n, \\r) and other shell metacharacters such as $ and `.'}, {'type': 'list_item', 'content': 'Replace shell command execution with native API calls (e.g., using libuci) to avoid shell interpretation.'}, {'type': 'list_item', 'content': 'Validate return values of parsing functions (e.g., inet_aton) and reject malformed inputs immediately.'}, {'type': 'paragraph', 'content': "Since exploitation requires authentication, ensure strong authentication credentials and restrict access to the router's management interface."}] [1, 3]